Help request: Virtumod.h and ErrorSafe

Discussion in 'Malware Help (A Specialist Will Reply)' started by aravant, Nov 25, 2006.

  1. aravant

    aravant Private E-2

    All
    My son's desktop appears to be infected with virtumod.h and that blasted ErrorSafe thing. I have followed the instructions posted by chaslang: 10-07-06.

    Bitdefender has found c:\windows\system\mp3drv.dll is infected with virtumod.h but unfortunately it cannot be deleted. I've trolled the web looking for existing solutions and probably introduced new problems in the process. I think?? I have removed these but virtumod remains. Any suggestions? Also, can I permanently remove ErrorSafe from ever interfering with our lives again?

    Find logs attached
    Bitdefender
    PandaActiveScan
    GetRunKey

    I will follow up with the ShowNew log

    Thanks in advance,
    aravant
     

    Attached Files:

  2. aravant

    aravant Private E-2

    Here is the ShowNew log

    aravant
     

    Attached Files:

  3. aravant

    aravant Private E-2

    HJT log
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please see the below thread on how to install and run VundoFix. Once you complete the scan above, attach the log from the scan, and also attach a fresh HJT log along with a fresh Panda log.
     
  5. aravant

    aravant Private E-2

    Many thanks bjgarrick.

    I had already run VundoFix but I re-downloaded the exe and ran it again. Curious that the scan took seconds to run and gave the following messages:
    "Done searching for files. No infected files were found".
    "No files were found. Vundofix v6.2.11 will now close".

    Note that the opportunity to save a log file was not given and there was no request to reboot the computer. This was the identical result on my previous attempt to run the exe. Does this sound normal?

    Find new HJT and Panda Logs attached.

    Again thank you for your assistance,
    aravant
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\dgqpsmxf.dll
    O2 - BHO: (no name) - {7797F524-B819-42d0-B35A-0DACAF93E977} - C:\WINDOWS\system32\kleidmsh.dll
    O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\higvhwgf.dll

    O4 - HKLM\..\Run: [Symantec Configuration Loader] ccApp32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunServices: [Symantec Configuration Loader] ccApp32.exe

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZH

    O20 - Winlogon Notify: mp3drv - C:\WINDOWS\system\mp3drv.dll

    O23 - Service: Symantec Configuration Loader (SymantecCfgLoad32) - Unknown owner - C:\WINDOWS\System32\ccApp32.exe" -service (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    • Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Configuration Loader (SymantecCfgLoad32)
    • Then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SymantecCfgLoad32 into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Next Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  7. aravant

    aravant Private E-2

    bjgarrick

    Find attached the new HJT log. I had to reboot a few times as XP kept hanging up or was extremely slow to start up (after the "Loading your personal settings" screen). Things seem to be getting normal the more I reboot.

    ErrorSafe Additional Feature remains in the "Add or Remove Programs" list.

    aravant
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you uninstall? Does it give any errors?

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\xciidsac.dll
    O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\higvhwgf.dll (file missing)

    O20 - Winlogon Notify: mp3drv - C:\WINDOWS\system\mp3drv.dll

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\xciidsac.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system\mp3drv.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete this post reboot once more and attach a fresh HJT log.
     
  9. aravant

    aravant Private E-2

    BJgarrick

    I cannot uninstall ErrorSafe from "Add or Remove Programs". All requests to remove are simply ignored. No error message.

    Even after executing your last set of instructions mp3drv.dll remains. In fact, before I received your last reply I went through the "READ & RUN ME FIRST Before Asking for Support" instructions and Panda found heaps of problems.

    I am attaching the latest HJT log as well as PandaActive, BitDefender and ShowNew.

    Thanks for your persistence,
    aravant
     

    Attached Files:

  10. aravant

    aravant Private E-2

    bjgarrick

    The remaining files.

    By the way, your instruction regarding higvhwgf.dll

    "O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\higvhwgf.dll (file missing)"

    When I ran HJT yesterday the entry was exactly as you typed. However, this morning (following many reboots whilst following the "READ & RUN ME FIRST Before Asking for Support" instructions), the (file missing) part was absent. Is this important?

    Should I go and flush my System Restore points?

    aravant
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Your Uninstaller! 2006 5.0.0.256, save to desktop and install.

    Locate ErrorSafe Additional Feature and uninstall it this way. It would probably be better to do this in Safe Mode. Once you complete this, reboot to normal mode and follow the below.


    Okay let's start by downloading two tools we will need:

    - Process Explorer 10.21

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen, click on each instance of mp3drv.dll, ascjgusl.dll, hqkuevwl.dll once and then click the kill button. After you have killed all of the mp3drv.dll, ascjgusl.dll and hqkuevwl.dll threads under winlogon, click OK. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of mp3drv.dll, ascjgusl.dll, hqkuevwl.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\ascjgusl.dll
    O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\hqkuevwl.dll

    O20 - Winlogon Notify: mp3drv - C:\WINDOWS\system\mp3drv.dll


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion… say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.

    C:\WINDOWS\system\mp3drv.dll
    C:\WINDOWS\system32\ascjgusl.dll
    C:\WINDOWS\system32\hqkuevwl.dll


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
  12. aravant

    aravant Private E-2

    Bjgarrick

    Well, 1 out of 2 ain't bad. ErrorSafe appears to have gone but the latest HJT log still has mp3drv.dll. Is this a super bug or what?

    aravant
     

    Attached Files:

  13. aravant

    aravant Private E-2

    Bjgarrick

    1000 apologies. I missed a step. On second reading I saw that I did not go into "explorer.exe" during the Process Explorer phase. I repeated ALL your instructions this time and have posted a new HJT log. Fingers crossed, mp3drv.dll is not on the log.

    I noticed that bitdefender does find a copy of mp3drv.dll in the C:\!Killbox directory. BitDefender deletes the file. Is this normal?

    aravant
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we do anything else I want you to delete the folder C:\!Killbox to remove all of the backups.

    Next I would like a fresh Panda scan log and a fresh Hijack This log from normal mode. I want to confirm these baddies are gone.
     
  15. aravant

    aravant Private E-2

    bjgarrick

    Find the requested logs attached. Prior to receiving your reply I ran Spyware Doctor and it found 369 low-level viruses plus DSSAgent and BackdoorRetro64.

    BitDefender found and deleted files with
    AvenueA, Inc
    Clickbank
    DoubleClick
    GoClick
    FunWebProducts
    Smifraud-C.Toolbar888
    Myway.Mywebsearch

    Good news is now ErrorSafe and virtumond.h appear gone.

    aravant
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you purchase Spyware Doctor or AVG Anti-Spyware 7.5?

    If not, I want you to uninstall Windows Defender, Spyware Doctor and AVG Anti-Spyware. These are blocking parts of my fixes, which is most likely the reason your infections are still present.

    Uninstall these and attach a fresh HJT log to your next post.
     
  17. aravant

    aravant Private E-2

    BJgarrick

    Like the new icon. I've been out of town the last week. Windows defender, Spyware Doctor and AVG have been uninstalled. Find a new HJT log attached.

    aravant
     

    Attached Files:

  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Since it's been a while, I also need a fresh Panda log.
     
  19. aravant

    aravant Private E-2

    Bjgarrick

    Find PandaActive log attached.

    aravant
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's get a fresh HJT log and we will go from there.
     
  21. aravant

    aravant Private E-2

    bjgarrick

    Find a new HJT log attached.

    aravant
     

    Attached Files:

  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\eourcstp.dll
    O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\clxgnoap.dll

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Once you have completed the above, reboot once more and run one last Panda scan. Once completed attach the log with a fresh HJT log.
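    The fix posts above (posts 6, 8, 11 and 22) quote the same two BHO CLSIDs every time, {013A653B-...} and {871A54C1-...}, yet each time they point at a differently named eight-letter DLL in system32, while the O20 Winlogon Notify entry keeps pointing at the same mp3drv.dll. The script below is an added example by the editor, not part of the thread and not code from HijackThis, VundoFix or any other tool named here. It parses the HijackThis lines quoted in those posts (embedded as constructed sample input) and correlates them across snapshots so the rotation is visible at a glance. The severity labels, the eight-lowercase-letter DLL name heuristic and the "Winlogon Notify DLL outside system32" check are the editor's assumptions, not HijackThis rules.

```python
import re
from collections import defaultdict

# Constructed sample input: the HijackThis lines quoted in the thread's fix
# posts, grouped into four snapshots in the order they were posted.
SNAPSHOTS = {
    "post6": [
        r"O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\dgqpsmxf.dll",
        r"O2 - BHO: (no name) - {7797F524-B819-42d0-B35A-0DACAF93E977} - C:\WINDOWS\system32\kleidmsh.dll",
        r"O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\higvhwgf.dll",
        r"O4 - HKLM\..\Run: [Symantec Configuration Loader] ccApp32.exe",
        r"O20 - Winlogon Notify: mp3drv - C:\WINDOWS\system\mp3drv.dll",
        r'O23 - Service: Symantec Configuration Loader (SymantecCfgLoad32) - Unknown owner - C:\WINDOWS\System32\ccApp32.exe" -service (file missing)',
    ],
    "post8": [
        r"O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\xciidsac.dll",
        r"O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\higvhwgf.dll (file missing)",
        r"O20 - Winlogon Notify: mp3drv - C:\WINDOWS\system\mp3drv.dll",
    ],
    "post11": [
        r"O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\ascjgusl.dll",
        r"O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\hqkuevwl.dll",
        r"O20 - Winlogon Notify: mp3drv - C:\WINDOWS\system\mp3drv.dll",
    ],
    "post22": [
        r"O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\eourcstp.dll",
        r"O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\clxgnoap.dll",
    ],
}

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}
MISSING = " (file missing)"
# Editor's heuristic: every rotating DLL quoted in the thread is eight lowercase letters.
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")


def _basename(path):
    """File name only; HJT prints service arguments after the binary, so cut them off first."""
    exe = re.split(r'"| -', path, maxsplit=1)[0].strip()
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line):
    """Parse an O2/O20/O23 line into a dict; other HJT sections return None."""
    line = line.strip()
    for kind, pat in PATTERNS.items():
        m = pat.match(line)
        if not m:
            continue
        entry = {"kind": kind, **m.groupdict()}
        path = entry["path"]
        entry["file_missing"] = path.endswith(MISSING)
        if entry["file_missing"]:
            path = path[: -len(MISSING)]
        entry["path"] = path
        entry["basename"] = _basename(path)
        return entry
    return None


def is_random_name(basename):
    return bool(RANDOM_DLL.match(basename))


def rotating_clsids(snapshots):
    """CLSIDs whose registered DLL changed name between snapshots -> ordered (snapshot, basename) history."""
    history = defaultdict(list)
    for label, lines in snapshots.items():
        for line in lines:
            e = parse_line(line)
            if e and e["kind"] == "O2":
                history[e["clsid"]].append((label, e["basename"]))
    return {c: h for c, h in history.items() if len({b for _, b in h}) > 1}


def triage(snapshots):
    """Return (severity, message) findings; rotation across snapshots is the strongest signal."""
    findings = []
    for clsid, hist in rotating_clsids(snapshots).items():
        chain = " -> ".join(b for _, b in hist)
        findings.append(("high", f"BHO {clsid} re-registered under rotating file names: {chain}"))
    for label, lines in snapshots.items():
        for line in lines:
            e = parse_line(line)
            if e is None:
                continue
            if e["kind"] == "O2" and e["name"] == "(no name)" and is_random_name(e["basename"]):
                findings.append(("medium", f"{label}: nameless BHO backed by random-looking {e['basename']}"))
            elif e["kind"] == "O20" and "\\system32\\" not in e["path"].lower():
                findings.append(("high", f"{label}: Winlogon Notify '{e['name']}' loads {e['path']} from outside "
                                         "system32; it runs inside winlogon.exe, so the file stays locked while logged on"))
            elif e["kind"] == "O23" and e["owner"].lower() == "unknown owner" and e["file_missing"]:
                findings.append(("low", f"{label}: service '{e['name']}' has unknown owner and a missing binary; "
                                        "verify before removing (HJT also shows '(file missing)' for some legitimate services)"))
    return findings


if __name__ == "__main__":
    for severity, msg in triage(SNAPSHOTS):
        print(f"[{severity:6}] {msg}")
```

    Run it as a script to print the findings; the functions are importable, so the same correlation can be run over a real set of exported HJT logs by reading each log into one entry of the snapshots dict. The point the correlation makes is that fixing the O2 line by file name alone is never enough here: the CLSID is the stable identifier, and the file behind it is replaced on every reboot until the loader in winlogon.exe is gone.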
     
  23. aravant

    aravant Private E-2

    bjgarrick

    Followed your instructions in safe mode. The only exceptions were I could not find the following files to do the Pocket KillBox thing:

    C:\WINDOWS\system32\eourcstp.dll (you mentioned this one twice in your post)
    C:\WINDOWS\system32\clxgnoap.dll

    Find the Panda and HJT logs attached. HJT mentions a file named soundman.exe.

    O23 - Service: SoundMan - Unknown owner - C:\WINDOWS\System32\soundman.exe" -service (file missing)

    A few years back I had issues with this file as it was infected with some virus. Can't remember how I eventually cleaned it. I thought I blew it away using some Symantec fix. Should I "fix" it the next time I run HJT?

    aravant
     

    Attached Files:

  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Now delete these two folders:
    C:\!KillBox

    C:\Program Files\HJT

    Once you complete this post your log will be clean. Are you having any further problems?
     
  25. aravant

    aravant Private E-2

    bjgarrick

    Windows does not know what to do when double clicking fixme.reg. I am prompted to select either to use a web service to find an appropriate program or select one myself. Did I miss a step?

    aravant
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try this, be sure you copy everything in bold.

     
  27. aravant

    aravant Private E-2

    bjgarrick

    Same result. Basically my version of Windows Explorer does not know what to do with files with the extension *.REG

    Going to the web service (one of the options I am presented when I double click on fixme.reg) leads me to the following site where it suggests all I have to do is to double click to get the registry repair to function.

    http://filext.com/detaillist.php?extdetail=REG

    Any clues what to do next?

    aravant
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy all of the below, paste it into Notepad and save as "fixregistry.reg"

    Then click start > run > type in regedit, when registry editor opens click file > import and point it to this file you just saved.

    After you do this, you should be able to merge the previous file.

     
  29. aravant

    aravant Private E-2

    bjgarrick

    All worked well this time. No idea what we did but hey, if it works I'm not complaining!

    Ran Bit Defender - no issues.
    Ran Panda ActiveScan - 9 spyware and 1 hacker prog (see log). They looked low level so I manually deleted them.

    Now that everything looks ok, do I need buy some protection? What do you recommend?

    From 13 December post (copied below), should I delete soundman.exe just to be on the safe side? Should I reload HJT and fix it?


    From 13 Dec
    HJT mentions a file named soundman.exe.

    O23 - Service: SoundMan - Unknown owner - C:\WINDOWS\System32\soundman.exe" -service (file missing)

    A few years back I had issues with this file as it was infected with some virus. Can't remember how I eventually cleaned it. I thought I blew it away using some Symantec fix. Should I "fix" it the next time I run HJT?

    aravant :)
     

    Attached Files:

    Last edited: Dec 17, 2006
  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean, the file "soundman.exe" refers to a Realtek Soundcard, it's legit. The (file missing) is a bug in HJT, it's not really missing.

    Also, regarding your Panda log: run CCleaner to address these detections. These are not a threat; cookies are not malicious in any way. They are flagged by many antispyware programs for some reason. Each time you open a browser you will have cookies, it's normal.
     
  31. aravant

    aravant Private E-2

    bjgarrick

    Many thanks for the guidance and persistence.

    aravant
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

